Splitting up servers & certificates

currently I am running a mail server (dovecot/postfix via iRedMail). It uses Nginx to power the admin backend as well as the webmail (roundcubemail). On my server I have certbot renewing for the following setup.

my crontab is set to run the command to check for certificate renewals.

certbot renew --post-hook ‘service postfix restart; service nginx restart; service dovecot restart’

mail.oregonrenaissance.org (postfix/Dovecot mail server, round cube webmail, iredAdmin backend)

I have 9 websites that also get certificates on the same machine (using the -nginx plugin)


I’d like to move the web hosting to its own machine but the problem is that certbot relies on being able to use port 80 for its authorization checks.

I was thinking that I could just add a command in the --post-hook to scp the certificates to an identical directory on the 2nd server after they are renewed.

I guess my question is, would this work or is there a better way that the email server machine can still get its certificate even though its not listening on port 80 anymore?

1 Like

If you are not going to have any web server on the “problematic” system, you can just use the
--standalone option to spinup a temporary web server to satisfy the HTTP challenge request.

1 Like

Another option, if your DNS provider provides an API for updating the TXT records, is to have the authorization for the mail server use a DNS-01 challenge. That’s what I did recently when splitting out my web server from my mail server for my personal domain. Having certbot spin up its own http server just for the challenge may be easier depending on your setup, though.

1 Like